Tribal Cybersecurity Grant Program Key Changes

Overview

The Tribal Cybersecurity Grant Program (TCGP) focuses on strengthening the cybersecurity and resilience of Tribal governments’ information systems. The TCGP enables the Department of Homeland Security (DHS) to provide targeted cybersecurity resources in support of Tribal governments and their communities. This document outlines key changes for the Fiscal Year (FY) 2025 TCGP.

Program Goals, Objectives, and Priorities

TCGP guidance is updated for each Notice of Funding Opportunity (NOFO) to ensure applicants remain on track to produce the intended outcomes related to the program’s goals, objectives, and priorities.

Program Goals and Objectives

The goal of TCGP is to assist Tribal governments with managing and reducing systemic cyber risk. Accomplishment of this goal can be achieved by implementing or revising Cybersecurity Plans, priorities, projects, and addressing TCGP objectives.

• Objective 1: Develop and establish appropriate governance structures, including by implementing or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
• Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
• Objective 3: Implement security protections commensurate with risk.
• Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.

Applicants who received FY 2023 funding may submit an investment justification (IJ) containing a project that coincides with Objectives 1 through 4. A detailed overview of the program goals and objectives will not be included in the NOFO as an appendix. Instead, it is available as a webpage on CISA.gov at SLCGP and TCGP Goals and Objectives.

Cybersecurity Plan Revisions

One of the priority outcomes of TCGP is the development and approval of applicant Cybersecurity Plans. Applicants are required to have their Cybersecurity Plan approved by CISA. There is no requirement for an entity to revise their CISA-approved Cybersecurity Plan unless CISA notifies them that it does not meet plan requirements. CISA has streamlined the instructions and provided additional suggestions about the process for revising or updating a plan.

Cybersecurity Plans are intended to be living documents and a Tribal government, following submission of its final plan in its grant application, may later update that plan. FEMA and CISA are available to provide technical assistance to Tribal governments on Cybersecurity Plan development. Tribal governments can connect with their FEMA Tribal Liaisons if they need assistance in locating their respective CISA regional Cybersecurity Advisor or Cybersecurity State Coordinator.

Starting in FY 2025, the requirements for Cybersecurity Plans and additional suggestions for revising or updating will not be included in the NOFO as an appendix. Instead, those requirements and suggestions will be available as a webpage on CISA.gov at SLCGP and TCGP Cybersecurity Plans Overview.

FEMA Grants Outcomes (FEMA GO System)

Applicants must apply to TCGP on the new FEMA GO system. The previous Non-Disaster Grants (ND Grants) platform will become a legacy system. For more information about FEMA GO, please review Section 5. “Submission Requirements and Deadlines” of the TCGP NOFO and FEMA Grants Outcomes (FEMA GO) | FEMA.gov for additional guidance and tools.

Program Funding and Cost Share Requirement

The total funding allocated for the TCGP decreased from $18.1 million in FY 2023 to $12.1 million in FY 2025. Allocation percentages to Tribal governments remain the same. The funding for the TCGP for FY 2024 and FY 2025 is $9,142,996 and $3,021,975 respectively. FEMA and CISA combined the funding from both fiscal years into a single TCGP Notice of Funding Opportunity (NOFO), for a total of $12,164,971.  Eligible applicants must agree to make available non-federal funds to carry out a TCGP award in an amount not less than 40% of the total project costs (federal award amount plus cost share amount, rounded to the nearest whole dollar). The cost share for the multi-entity projects is 30% for FY 2025.

The Secretary of Homeland Security (or designee) may waive or modify the non-federal share for an individual entity if the entity demonstrates economic hardship. However, DHS is not able to provide additional funds even if it does grant a cost share waiver. All Cost Share Waiver requests must be submitted post-award by the eligible entity by emailing the request and supporting documentation to FEMA-TCGP@fema.dhs.gov.

FY 2025 Period of Performance (POP)

The FY 2025 POP is specified in the funding notice and remains 48 months from the date the awards are made. Unlike FY 2023 DHS will not consider requests for any extensions to the FY 2025 POP.

Application Materials

The following forms or information are required to be submitted via FEMA GO. The Standard Forms (SF) are also available at Forms | Grants.gov. 

• SF-424, Application for Federal Assistance
• Grants.gov Lobbying Form, Certification Regarding Lobbying
• SF-424B, Standard Assurances (Non-Construction)
• SF-LLL, Disclosure of Lobbying Activities

Post-Award Program-specific Required Documents, Forms and Information

There are no program-specific required documents and information at the time of application. The following program-specific forms or information are required to be submitted in FEMA GO after awards are made:

1. Cybersecurity Project Submissions
   1. Investment Justifications
   2. Project Worksheets (FEMA will provide recipients with a draft Project Worksheet)
   3. Detailed Budget Worksheet and Narrative (Appendix E, “Sample Budget Worksheet and Budget Narrative”)
   4. Negotiated Indirect Cost Rate Agreement (if applicable)
2. Cybersecurity Planning Committee Membership List and Charter
3. Cybersecurity Plan with required signatures (resubmissions of updated plan, if applicable)
4. SF-424A, Budget Information (Non-Construction) (as an attachment in FEMA GO)

All program-specific forms are available on Grants.gov and Tribal Cybersecurity Grant Program | FEMA.gov. Recipients can email questions about program-specific required documents, forms and information to FEMA-TCGP@fema.dhs.gov. User guides are available for TCGP IJs and PWs at Tribal Cybersecurity Grant Program | FEMA.gov. Additional programmatic guidance can be found at https://www.cisa.gov/cybergrants/tcgp. 

Performance Measures

CISA remains invested in collecting data to gauge program performance. In FY 2025, performance measures were adjusted to better inform applicants of the information CISA will collect through the program duration. Each performance measure now includes a recommended target range to better communicate how CISA will measure the program’s performance to applicants. Adjusted performance measures include the following:

• Percentage of tribes with CISA approved tribal Cybersecurity Plans (100% target range – statutorily required)
• Percentage of tribes with Tribal Cybersecurity Planning Committees that meet the Homeland Security Act of 2002 and TCGP funding notice requirements (100% target range – statutorily required)
• Percentage of tribes conducting annual tabletop and full-scale exercises to test Cybersecurity Plans (40% target range).
• Percent of the tribes’ TCGP budget allocated to exercises (10% target range).
• Average dollar amount expended on exercise planning for tribes (10% target range)
• Percentage of tribes conducting an annual cyber risk assessment to identify cyber risk management gaps and areas for improvement (70% target range).
• Percentage of tribes performing phishing training (50% target range).
• Percentage of tribes conducting awareness campaigns (90% target range).
• Percentage of tribes providing role-based cybersecurity awareness training to employees (60% target range).
• Percentage of tribes with capabilities to analyze network traffic and activities related to potential threats (60% target range).
• Percentage of tribes implementing multi-factor authentication (MFA) for all remote access and privileged accounts (70% target range).
• Percentage of tribes with programs to anticipate and discontinue end-of-life software and hardware (60% target range).
• Percentage of tribes prohibiting the use of known/fixed/default passwords and credentials (75% target range).
• Percentage of tribes operating under the “.gov” internet domain (50% target range).
• Number of cybersecurity gaps or issues addressed annually by tribes (50%).
• Percentage of tribe-created performance metrics that were met (50% target range).
• Percentage of tribes participating in CISA services (50% target range).
• Percentage of tribes that have implemented data encryption projects (50% target range).
• Percentage of tribes that have implemented enhanced logging projects (60% target range).
• Percentage of tribes that have implemented system reconstitution projects (60% target range).

Similar performance measures to those listed above have previously been included in the NOFO. CISA views the implementation of those best practices as informative in determining TCGP’s success. 

Required, Encouraged, and Optional Services, Memberships, and Resources

Tribal governments are no longer required to participate in the National Cybersecurity Review as a post-award requirement.

CISA has information about Cyber Protective Visits, the agency’s Cyber Resource Hub, and its Interoperable Communications Technical Assistance Program (ICTAP) to the list of Encouraged Services (Appendix C) in the NOFO. Cyber Protective Visits are performed by CISA’s regional Cybersecurity Advisors. The visits are designed to gauge a tribe’s interest in DHS’s cybersecurity offerings and help the advisor understand the tribe's cybersecurity needs and orientation within the broader landscape.